Remove enforcing=0 for sealed composefs

jeckersb · cgwalters · commit 86ba489d53db · 2026-03-06T19:16:57.000-05:00
Signed-off-by: John Eckersberg &lt;jeckersb@redhat.com&gt;
diff --git a/contrib/packaging/seal-uki b/contrib/packaging/seal-uki
@@ -45,10 +45,6 @@ fi
 # Baseline container ukify options
 containerukifyargs=(--rootfs "${target}")
 
-# WORKAROUND: SELinux must be permissive for sealed UKI boot
-# See https://github.com/bootc-dev/bootc/issues/1826
-containerukifyargs+=(--karg enforcing=0)
-
 missing_verity=()
 
 if [[ $allow_missing_verity == "true" ]]; then
diff --git a/crates/xtask/src/tmt.rs b/crates/xtask/src/tmt.rs
@@ -31,10 +31,8 @@ const ENV_BOOTC_UPGRADE_IMAGE: &str = "BOOTC_upgrade_image";
 // Distro identifiers
 const DISTRO_CENTOS_9: &str = "centos-9";
 
-const COMPOSEFS_KERNEL_ARGS: [&str; 1] = ["--karg=enforcing=0"];
-
 // Import the argument types from xtask.rs
-use crate::{BootType, Bootloader, RunTmtArgs, SealState, TmtProvisionArgs};
+use crate::{Bootloader, RunTmtArgs, SealState, TmtProvisionArgs};
 
 /// Generate a random alphanumeric suffix for VM names
 fn generate_random_suffix() -> String {
@@ -488,11 +486,6 @@ pub(crate) fn run_tmt(sh: &Shell, args: &RunTmtArgs) -> Result<()> {
                 let filesystem = args.filesystem.as_deref().unwrap_or("ext4");
                 opts.push(format!("--filesystem={}", filesystem));
                 opts.push("--composefs-backend".into());
-
-                // UKI install fails with extra args
-                if args.boot_type == BootType::Bls {
-                    opts.extend(COMPOSEFS_KERNEL_ARGS.map(|x| x.into()));
-                }
             }
 
             if let Some(b) = &args.bootloader {
diff --git a/docs/src/experimental-composefs.md b/docs/src/experimental-composefs.md
@@ -159,7 +159,6 @@ The composefs backend is experimental; on-disk formats are subject to change.
 ### Deployment blockers
 
 - [Garbage collection](https://github.com/bootc-dev/bootc/pull/2040): In progress
-- [SELinux enforcement](https://github.com/bootc-dev/bootc/issues/1826): Currently requires `enforcing=0`
 - Extended install APIs: Ability to cleanly implement anaconda %post and osbuild post mutations and general post-install pre-reboot; right now some tools just mount the deployment directory (note this one also relates to [APIs in general](https://github.com/bootc-dev/bootc/issues/522))
 - [OCI registry install](https://github.com/bootc-dev/bootc/issues/1703): Installing from registry can fail due to config mismatch (suggestion: just clean reject v2s2)
 - [composefs-rs repository finalization](https://github.com/bootc-dev/bootc/issues/1320)
